This is a ‘case’ which may seem trivial, but which indirectly affects hundreds of thousands of sites in France, and millions of advertisements. The Transparency & Consent Framework, more commonly known as TCF, the fruit of IAB Europe and its partners, has been deemed contrary to the GDPR. The organization of online advertising players was fined in February, now disputed.
The IAB was awaiting a conviction
However, this standard governs the operation of many consent collection platforms (CMP). Once the consent has been obtained, TCF allows the activation of advertising auction systems between advertisers in order to present targeted advertisements. In July 2020, a new version was released, TCF V2, stricter, but still not strict enough.
Sendinblue announces the acquisition of Meetfox
In operation since 2018, the IAB Europe announces on November 5, 2021 that it expects this standard to be found guilty of non-compliance with the GDPR by the Belgian CNIL, the APD. The plaintiff, although Irish, accused the IAB of having designed ” deceptive “consent” pop-ups that appear on almost all (80%+) European websites and apps “.
Various observations from professionals will evoke an adaptation of TCF to the GDPR slightly pro business “. Adaptation assumed by the IAB, which nevertheless undertook to correct the various violations ” within six months of publication of the final decision “.
The first court decision will fall two months later. The Belgian Data Protection Authority will condemn IAB Europe to a fine of 250,000 euros. A conviction which the organization has appealed. ” The immediate execution of the decision would deprive a remedy of its relevance and effectiveness, and would have irreversible and serious consequences for our organization.,” Townsend Feehan, CEO of IAB Europe, said in a statement.
The beginning of a long process
Indeed, in addition to the fine, the DPA considers that the IAB is responsible for the processing of “TC Strings” and that these are personal data. TC Strings are signals collected by CMPs to collect data, which are then used by advertisers to display their targeted advertisements.
This status of personal data greatly complicates the task of the IAB, which should then ensure a whole host of good practices for all CMPs, site editors, and advertisers. ” The DPA appears not to consider consent or the performance of a contract as an appropriate legal basis for the processing of TC Strings data by IAB Europe ” laments the organization in a report (pdf).
” Removing the grounds on which the DPA considers IAB Europe to be a data controller would reduce the TCF to a simple open source standard with no enforceable policies. Paradoxically, this would render ineffective the objective of consumer protection which underlies the jurisdiction of the DPA, and the apparent reason why the proceedings against IAB Europe exist. We do not believe that this is the purpose of the law, nor that self-regulatory standards should be weakened due to misinterpretation of the law. That’s why we contest this decision,” concludes the IAB in its communicated.
Let’s understand that beyond the fine, the stakes of TCF’s alignment with the GDPR according to the DPA’s decision are significant. Size which should also be equivalent to the duration of the procedure and the APD-IAB exchanges.